Re: [Qemu-devel] [PATCH v2] hw/block: report when pflash backing file isn't aligned

From: Markus Armbruster <armbru@redhat.com>
To: Laszlo Ersek <lersek@redhat.com>
Cc: "Alex Bennée" <alex.bennee@linaro.org>,
	qemu-devel@nongnu.org, stappers@stappers.nl, armbru@redhat.com
Subject: Re: [Qemu-devel] [PATCH v2] hw/block: report when pflash backing file isn't aligned
Date: Fri, 15 Feb 2019 17:01:18 +0100	[thread overview]
Message-ID: <87lg2hujld.fsf@dusky.pond.sub.org> (raw)
In-Reply-To: <60e020d0-ad5d-6b86-e492-1d3c91c48a13@redhat.com> (Laszlo Ersek's message of "Fri, 15 Feb 2019 15:08:39 +0100")

Laszlo Ersek <lersek@redhat.com> writes:

> On 02/15/19 13:28, Alex Bennée wrote:
>> It looks like there was going to be code to check we had some sort of
>> alignment so lets replace it with an actual check. This is a bit more
>> useful than the enigmatic "failed to read the initial flash content"
>> when we attempt to read the number of bytes the device should have.
>> 
>> This is a potential confusing stumbling block when you move from using
>> -bios to using -drive if=pflash,file=blob,format=raw,readonly for
>> loading your firmware code.
>> 
>> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
>> 
>> ---
>> v2
>>   - use PRIu64 instead of PRId64
>>   - tweaked message output
>> ---
>>  hw/block/pflash_cfi01.c | 20 ++++++++++++++------
>>  1 file changed, 14 insertions(+), 6 deletions(-)
>> 
>> diff --git a/hw/block/pflash_cfi01.c b/hw/block/pflash_cfi01.c
>> index bffb4c40e7..7532c8d8e8 100644
>> --- a/hw/block/pflash_cfi01.c
>> +++ b/hw/block/pflash_cfi01.c
>> @@ -722,12 +722,20 @@ static void pflash_cfi01_realize(DeviceState *dev, Error **errp)
>>      }
>>      device_len = sector_len_per_device * blocks_per_device;
>>  
>> -    /* XXX: to be fixed */
>> -#if 0
>> -    if (total_len != (8 * 1024 * 1024) && total_len != (16 * 1024 * 1024) &&
>> -        total_len != (32 * 1024 * 1024) && total_len != (64 * 1024 * 1024))
>> -        return NULL;
>> -#endif

pflash_cfi02_realize() has the same XXX.

There's a pair of related XXXs in taihu_405ep_init().  Related because
@total_len is computed like this

    total_len = pfl->sector_len * pfl->nb_blocs;

and the two factors come from callers of pflash_cfi01_realize(),
pflash_cfi02_realize(), or from ve_pflash_cfi01_register(),
xtfpga_flash_init().  Aside: the latter two are slight variations of
pflash_cfi01_realize() which I'm going to clean up.  Some of these use
fixed sizes (good, real machines do that, too).  Some of them compute
them from blk_getlength(), with varying levels of care.

I'm afraid we need to take all that into account.

Let's take a step back and consider sane requirements.

The size of the flash chip is a property of the machine.  It is *fixed*.
Using whatever size the image has is sloppy modelling.

A machine may come in minor variations that aren't worth their own
machine type.  One such variation could be a different flash chip size.
Using the image size to select one from the set of fixed sizes is
tolerable.

Aside: the image size can change between the place where we get it to
pick a flash chip size and realize().  I guess that's a "don't do that
then".

If the image size matches the flash chip's size exactly, all is well.

Should we require the size to match the flash chip's size?

If we accept a smaller image, we want to pad with zeros.  What about
writes beyond the size of the image?  Discard them, or let them extend
the image file?

If we accept a larger image, we want to ignore its tail.

Sorry for turning the tiny issue your patch tries to address into a much
larger one...

>> +    /*
>> +     * Validate the backing store is the right size for pflash
>> +     * devices. It has to be padded to a multiple of the flash block
>> +     * size.
>> +     */
>> +    if (pfl->blk) {
>> +        uint64_t backing_len = blk_getlength(pfl->blk);
>> +        if (device_len != backing_len) {
>> +            error_setg(errp, "device needs %" PRIu64 " bytes, "
>> +                       "backing file provides only %" PRIu64 " bytes",
>> +                       device_len, backing_len);
>> +            return;
>> +        }
>> +    }
>>  
>>      memory_region_init_rom_device(
>>          &pfl->mem, OBJECT(dev),
>> 
>
> The word "only" implies that the file is too small. It could be too
> large as well (the C expression is right, but the message doesn't
> reflect it).
>
> With the word "only" dropped, I think the message looks fine.
>
>
> Also, now I've checked blk_getlength(). First, it can directly return
> (-ENOMEDIUM). Second, it delegates the job to bdrv_getlength(), which
> itself can return (-EFBIG). Third, bdrv_nb_sectors(), used internally,
> can itself return (-ENOMEDIUM).
>
> For me this is pretty much impossible to follow. Can we:
>
> - use type "int64_t" for "backing_len" in the new code, AND
>
>   - either prove (from the rest of pflash_cfi01_realize()) that
>     "backing_len" is nonnegative, and then *assert* it, plus cast
>     "backing_len" to uint64_t for the comparison;
>
>   - or check for a negative "backing_len" explicitly, and if that
>     happens, fail pflash_cfi01_realize() with an error message that
>     reports *that* failure?
>
> Sorry about the pedantry; I've got no clue what's happening in
> blk_getlength() for real.

László is right, blk_getlength() *can* fail.  It doesn't fail often, so
neglecting to check for failure can go undetected for quite a while.